It isn’t here yet, but the UK’s Data Protection Bill moved a step closer to becoming the Data Protection Act 2018, as it received its second reading in the House of Commons yesterday. The Bill introduces the UK’s derogations (or variations) for GDPR, which will be enforced from May this year (less than 80 days to go). As the Bill started its journey in the Lords, it has already been through its readings, committee and report stages there, leaving just the committee and report stages in the Commons before its third and final reading, consideration and Royal Assent. There is still a way to go, and the Rt Hon Matt Hancock MP, Secretary of State for Digital, Culture, Media and Sport, did make a glancing reference to the House of Commons having to sit on a Saturday, pointing to the history of getting the Electric Lighting Act 1882 passed. We will see if this Bill makes it in time, since it needs to be passed before the GDPR deadline.
What Does The Bill Cover – What Does It Replace?
The four main areas covered by the Bill are: general data processing, law enforcement data processing, data processing for national security purposes including processing by the intelligence services, and regulatory oversight and enforcement. Because of the way that UK Data Protection legislation is structured, the Bill covers more than GDPR itself, and it also introduces the LED (Law Enforcement Directive). It is a large and complex Bill, running to over 250 pages, including its Schedules.
The Bill will replace the Data Protection Act 1998, and provides the legal framework for data protection in the UK, supplemented by the GDPR until the UK leaves the EU. The GDPR will still apply after that date, as it will be incorporated into the UK’s domestic law under the powers in the European Union (Withdrawal) Bill, which is also currently before Parliament.
New But Familiar Principles
The legislation broadly carries over the eight data protection principles from the Data Protection Act 1998. From that perspective, it should not be a big adjustment for businesses that already comply with the current legislation. The principles of “Access” and “Overseas Transfer” do not have a direct equivalent in the GDPR, but are covered under chapters III and V of it. The GDPR also introduces the new principle of “Accountability” – making the controller responsible for compliance with all of the principles, and requiring that they are able to demonstrate their compliance – see the ICO guidance on The GDPR principles. This is, to put it mildly, quite a big shift. The onus is on the controller to show (i.e. document and evidence) that they are following the principles of GDPR. Being ‘compliant’ is not enough; in fact you can’t be ‘compliant’ with the principles unless you can demonstrate that you are, since that is itself one of the principles! This places far greater emphasis on record keeping, and on documenting decisions, reasoning and activities.
New But Familiar Rights
The rights from the Data Protection Act 1998 are carried over, with the GDPR right to data portability added:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure (sometimes referenced as the right to be forgotten).
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights and restrictions on profiling / automated decision making.
And Some Key Additions…
The Bill also establishes the basis for the Information Commissioner (the ICO) to enforce the Act. If you are in the UK you will likely have received notification of the new charging structure.
The Bill also introduces two new criminal offences. The first is the implementation of Dame Fiona Caldicott’s Review of Data Security, Consent and Opt-Outs, which called for criminalising the re-identification of data where that data had been anonymised. The Bill includes reckless re-identification: “It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data.” This has been a topic of contention in the security and research industry; a number of amendments and caveats have been added, and there may be more changes to come. For those working with big data, or in data science, this is going to be a key item to watch.
Unlawfully obtaining personal data remains an offence, but there is also now an additional offence of altering personal data to prevent disclosure. This covers the situation where a data subject has exercised their right to obtain data held on them. It is an offence for the controller, or an officer of the controller, or anyone employed/controlled by them to “alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.”
The Bill is, obviously, not finalised, and there will almost certainly be more amendments. The ICO is working hard to update its guidance, and is the primary source of information for UK organisations that need to comply with the Bill. It is a highly complex area, and one in which organisations clearly need to seek expert advice for their specific situation. Timelines for complying with the new regulation are likely to be tight.
Have Your Say
If you have relevant expertise and experience, or a special interest, you can have your say on the Data Protection Bill: the Public Bill Committee is taking written evidence up until the 27th of March.